Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Configuring firewall addresses on FortiGate 2

Go to Policy & Objects > Addresses.

Create/Edit the subnets behind FortiGate 1 and FortiGate 2.

Create/Edit the primary and secondary interfaces of FortiGate 2.

Configuring security policies on FortiGate 2

Go to Policy & Objects > IPv4 Policy.

Create the four security policies required for both FortiGate 2’s primary and secondary interfaces to connect to FortiGate 1’s primary and secondary interfaces.

Results

Go to Monitor > IPsec Monitor to verify the statuses of both the primary and secondary IPsec VPN tunnels on FortiGate 1 and FortiGate 2.

Go to Monitor > Routing Monitor. Monitor to verify the routing table on FortiGate 1 and FortiGate 2. Type OSPF for the Type and select ApplyFilter to verify the OSPF route.

Verify that traffic flows via the primary tunnel:

From a PC1 set to IP:10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP address 10.21.1.00 behind FortiGate 2 and vise versa.

From PC1, you should see that the traffic goes through 10.1.1.2 which is the primary tunnel interface IP set on FortiGate 2.

From PC2, you should see the traffic goes through 10.1.1.1 which is the primary tunnel interface IP set on FortiGate 1.

The VPN network between the two OSPF networks uses the primary VPN connection. Disconnect the wan1 interface and confirm that the secondary tunnel will be used automatically to maintain a secure connection.

Verify the IPsec VPN tunnel statuses on FortiGate 1 and FortiGate 2. Both FortiGates should show that primary tunnel is DOWN and secondary tunnel is UP.